Last month in Boston I spoke to a group of board directors. It was a room filled with real pros—men and women who serve on the boards of major companies. Many of them serve on more than one board, and I met several people who sit on four.
Their interest in cyber security was high—the issue is definitely on their radar. Some were more knowledgeable than others. But all seemed to appreciate the severity of the problem, and were eager to learn what they could do to help.
I gave the day’s opening keynote, talking about the current state of information security (not good), and suggesting that cyber security is now a board-level issue. No one disagreed.
The attendees were an impressive group—I wish members of Congress were half as smart and dedicated—but for the most part, they had no idea what their boards should be doing to protect against cyber attacks and prevent data loss.
After giving this matter some thought since the event, here are my recommendations for what board directors can do to improve cyber security:
- Require that management provide the board with IT performance metrics, just as it provides financial metrics. If you want an internal function to improve, first you need to measure it.
- Create a cross-functional cyber security leadership group within management that reports directly to the CEO, but which also meets periodically with the board. This group’s primary mission is to make sure that the enterprise’s cyber defense efforts are well coordinated, across departments. A secondary purpose is to provide board directors with direct access to key cyber security decision-makers.
- Provide leadership regarding internal human cyber risk. SANS’ research director Alan Paller said recently that over 90% of all major cyber attacks are caused by human error. Human error is a huge problem, and boards can help jump-start efforts to reduce this risk.
- Hire the best CISO (Chief Information Security Officer) that you can find, and make sure he or she has excellent communication skills. Information security is a critical function of every department, and the CISO must be as much teacher and evangelist as technician.
- Be proactive. Send a message from the top. Cyber security is important. Don’t merely wait for the next attack to respond. Start asking to see attack mitigation plans (because you will be attacked); ask your internal cyber experts whether compliance with your industry’s standards is enough to assure real protection (it’s not); get to know that new CISO you hire; ask questions about cyber security at every opportunity.
These measures can help reduce existing cyber vulnerabilities. But the larger value of taking these actions is that they will begin to get the board directly engaged in cyber security issues. Because when a hack hits the fan, and Wall St. and the SEC are calling, the board will have a critical role in making the fast, smart decisions necessary to reassure customers, and preserve corporate value.